| // Copyright 2020 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "chrome/browser/safe_browsing/chrome_enterprise_url_lookup_service.h" |
| |
| #include "base/callback.h" |
| #include "base/task/post_task.h" |
| #include "chrome/browser/profiles/profile.h" |
| #include "chrome/browser/safe_browsing/dm_token_utils.h" |
| #include "components/policy/core/common/cloud/dm_token.h" |
| #include "components/safe_browsing/core/common/thread_utils.h" |
| #include "components/safe_browsing/core/proto/realtimeapi.pb.h" |
| #include "components/safe_browsing/core/realtime/policy_engine.h" |
| #include "components/safe_browsing/core/realtime/url_lookup_service_base.h" |
| #include "components/safe_browsing/core/verdict_cache_manager.h" |
| #include "net/traffic_annotation/network_traffic_annotation.h" |
| #include "services/network/public/cpp/shared_url_loader_factory.h" |
| #include "url/gurl.h" |
| |
| namespace safe_browsing { |
| |
| ChromeEnterpriseRealTimeUrlLookupService:: |
| ChromeEnterpriseRealTimeUrlLookupService( |
| scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory, |
| VerdictCacheManager* cache_manager, |
| Profile* profile) |
| : RealTimeUrlLookupServiceBase(url_loader_factory, cache_manager), |
| profile_(profile) {} |
| |
| ChromeEnterpriseRealTimeUrlLookupService:: |
| ~ChromeEnterpriseRealTimeUrlLookupService() = default; |
| |
| void ChromeEnterpriseRealTimeUrlLookupService::StartLookup( |
| const GURL& url, |
| RTLookupRequestCallback request_callback, |
| RTLookupResponseCallback response_callback) { |
| DCHECK(CurrentlyOnThread(ThreadID::UI)); |
| DCHECK(url.is_valid()); |
| |
| // Check cache. |
| std::unique_ptr<RTLookupResponse> cache_response = |
| GetCachedRealTimeUrlVerdict(url); |
| if (cache_response) { |
| base::PostTask(FROM_HERE, CreateTaskTraits(ThreadID::IO), |
| base::BindOnce(std::move(response_callback), |
| /* is_rt_lookup_successful */ true, |
| std::move(cache_response))); |
| return; |
| } |
| |
| auto request = std::make_unique<RTLookupRequest>(); |
| request->set_url(SanitizeURL(url).spec()); |
| request->set_lookup_type(RTLookupRequest::NAVIGATION); |
| DCHECK(GetDMToken().is_valid()); |
| request->set_dm_token(GetDMToken().value()); |
| |
| std::string req_data; |
| request->SerializeToString(&req_data); |
| |
| SendRequestInternal(GetResourceRequest(), req_data, url, |
| std::move(response_callback)); |
| |
| base::PostTask(FROM_HERE, CreateTaskTraits(ThreadID::IO), |
| base::BindOnce(std::move(request_callback), std::move(request), |
| /*access_token=*/"")); |
| } |
| |
| bool ChromeEnterpriseRealTimeUrlLookupService::CanPerformFullURLLookup() const { |
| return RealTimePolicyEngine::CanPerformEnterpriseFullURLLookup( |
| profile_->GetPrefs(), GetDMToken().is_valid(), |
| profile_->IsOffTheRecord()); |
| } |
| |
| bool ChromeEnterpriseRealTimeUrlLookupService::CanCheckSubresourceURL() const { |
| return false; |
| } |
| |
| bool ChromeEnterpriseRealTimeUrlLookupService::CanCheckSafeBrowsingDb() const { |
| return safe_browsing::IsSafeBrowsingEnabled(*profile_->GetPrefs()); |
| } |
| |
| policy::DMToken ChromeEnterpriseRealTimeUrlLookupService::GetDMToken() const { |
| return ::safe_browsing::GetDMToken(profile_); |
| } |
| |
| net::NetworkTrafficAnnotationTag |
| ChromeEnterpriseRealTimeUrlLookupService::GetTrafficAnnotationTag() const { |
| // Safe Browsing Zwieback cookies are not sent for enterprise users, because |
| // DM tokens are sufficient for identification purposes. |
| return net::DefineNetworkTrafficAnnotation( |
| "enterprise_safe_browsing_realtime_url_lookup", |
| R"( |
| semantics { |
| sender: "Safe Browsing" |
| description: |
| "This is an enterprise-only feature. " |
| "When Safe Browsing can't detect that a URL is safe based on its " |
| "local database, it sends the top-level URL to Google to verify it " |
| "before showing a warning to the user." |
| trigger: |
| "When the enterprise policy EnterpriseRealTimeUrlCheckMode is set " |
| "and a main frame URL fails to match the local hash-prefix " |
| "database of known safe URLs and a valid result from a prior " |
| "lookup is not already cached, this will be sent." |
| data: |
| "The main frame URL that did not match the local safelist and " |
| "the DM token of the device." |
| destination: GOOGLE_OWNED_SERVICE |
| } |
| policy { |
| cookies_allowed: NO |
| setting: |
| "This is disabled by default and can only be enabled by policy " |
| "through the Google Admin console." |
| chrome_policy { |
| EnterpriseRealTimeUrlCheckMode { |
| EnterpriseRealTimeUrlCheckMode: 0 |
| } |
| } |
| })"); |
| } |
| |
| } // namespace safe_browsing |